FTC's Leibowitz: Beware of 'Cyberazzi'

Federal Trade Commission Chairman Jon Leibowitz put in a pitch for the FTC's "privacy by design" approach to online information sharing Tuesday, using the term "cyberazzi" for the intrusive extremes of an online tracking environment that he says users need more control over.

"A host of invisible cyberazzi -- cookies and other data catchers -- follow us as we browse, reporting our every stop and action to marketing firms that, in turn, collect an astonishingly complete profile of our online behavior. Whenever we click, so do they," he told a National Press Club audience Tuesday.

He made it clear that he was not talking about most online advertisers, but making the point that surreptitiously placed software can turn information into a commodity beyond a user's' control.

His message was essentially that industry was moving in the direction of giving online users more control over tracking. He called it a well intentioned effort that "might just work."

The chairman said an industry-driven do not track regime could help avoid Congress imposing one. He also said such a regime will not end behavioral advertising or the targeted advertising that supports all that free Internet content.

The FTC is agnostic on how that do not track regime develops, he said, so long as it works, which includes being easy to use and easy to find.

And when it comes to children's info, he added, "Cyberazzi need to stay away from our kids, at least without parental consent."

The FTC is preparing recommendations to Congress on protecting privacy in a digital world. It has so far leaned toward self-regulation, but backed by more authority for the FTC to oversee and enforce it. The commission also released in September its recommended fixes to the Children's Online Privacy Protection Act (COPPA), including adding behavioral advertising tracking cookies and geolocation information to the definition of kids' personal information that behavioral marketers and Web sites must get permission from parents to obtain. The administration is also preparing a final report on its similar take on privacy protections.

In response to a question about congressional concern about so-called "supercookies," which Leibowitz described as an online game of whack-a-mole, popping up after users thought they had been dispatched, the chairman said there was a "tension" between those and the FTC's approach to online privacy.

Leibowitz used the event to report that the commission had struck a settlement with p2p service Frostwire (http://www.ftc.gov/opa/2011/10/frostwire.shtm) on charges that it was causing consumers to "unwittingly expose sensitive personal files [including video and photos] stored on their mobile devices, and that it misled consumers about which downloaded files from their desktop and laptop computers would be shared with a file-sharing network."

He said that if the company had adhered to the FTC's privacy by design recommendations, it would have provided its customers with a reasonable expectation of privacy and made its policies clearer.

Leibowitz contrasted the self-regulatory do not track approach the FTC was advocating with the current privacy debate in Europe, which includes whether there should be any online tracking and making it an opt-in regime, which the FTC has not recommended.

Representatives of the various groups were on hand to release a study they say debunks the "myth" that digital data collection is anonymous, one of industry arguments for not over-regulating it. In contrast, the study said, the information is pseudonymous, which means if that pseudonym can be linked with the user, which can happen in a variety of ways, the information is no longer anonymous.

In response to the study's release, the Information Technology and Information Foundation, which represents major computer companies among others, said that the sky was hardly falling.

"Despite the hype, the report merely identified some known technical issues that websites can address to improve privacy," said the group in a statement. "Indeed the author of the report admitted at today's event that he was, 'not alleging any violation of self-regulation.' The fact remains that the vast majority of organizations and businesses on the Internet do not abuse consumer data and have policies and practices in place to protect consumers."

ITIF board members include representatives of Apple, Oracle, IBM, and Microsoft.